Ransomware
The Gunra ransomware group, which emerged in April targeting Windows systems, has released a sophisticated Linux variant capable of running 100 parallel encryption threads—double what most ransomware allows. This cross-platform expansion makes Gunra particularly dangerous, offering attackers unprecedented speed and flexibility in file encryption.
The group gained notoriety by allegedly leaking 40TB of hospital data in May and has since targeted victims across Brazil, Japan, Canada, Turkey, South Korea, Taiwan, and the US. Unlike its Windows version, the Linux variant skips ransom notes and focuses purely on rapid, configurable encryption. Trend Micro researchers warn organizations to monitor this fast-evolving threat closely.
Source: Dark Reading
Google researchers exposed UNC3944, a ransomware group targeting US retail, airline, and insurance companies through sophisticated phone scams. The hackers call IT help desks pretending to be employees, trick staff into resetting passwords, then use stolen credentials to access virtual server systems and deploy ransomware within hours.
Unlike typical cyberattacks, they don't use malware but manipulate legitimate administrative tools, making detection extremely difficult. The group's activity declined after 2024 law enforcement actions. But other ransomware groups are now copying these tactics, making this a growing threat requiring immediate defensive action.
Source: Industrial Cyber
The Scattered Spider cybercrime group launched sophisticated ransomware attacks on July 28, 2025, targeting VMware ESXi servers across critical U.S. infrastructure including retail and airline sectors. The hackers used stolen credentials and social engineering to hijack ESXi hypervisors, encrypting multiple virtual machines at once and causing widespread business disruptions.
CISA issued an urgent advisory urging organizations to patch vulnerable ESXi systems and strengthen access controls. Security experts say their evolving tactics make detection increasingly difficult for defenders. The attacks underscore urgent concerns about ransomware threats to virtualized environments that many organizations rely on for core operations.
Source: The Hacker News
A new ransomware group called Chaos has launched attacks across multiple sectors, primarily targeting US organizations with some victims in the UK, New Zealand, and India. The gang, which emerged in February 2025, uses sophisticated social engineering tactics—flooding targets with spam emails then impersonating IT security staff over phone calls to trick victims into granting remote access via Microsoft Quick Assist.
Cisco Talos researchers believe Chaos is likely formed by former BlackSuit/Royal gang members based on similar encryption methods and ransom note structures. The group demands large ransoms (one case involved $300,000) and threatens DDoS attacks plus data disclosure if victims don't pay.
Source: Infosecurity
Ingram Micro, a major technology distributor with $48 billion in annual sales, confirmed a ransomware attack has disrupted its operations for days. The breach, attributed to the SafePay ransomware group, has halted software licensing services and left customers unable to access products dependent on the company's backend systems.
Sources suggest hackers breached Ingram Micro through Palo Alto's GlobalProtect VPN using stolen credentials. SafePay, active since November 2024 with over 220 victims, has previously targeted organizations across multiple countries. The company's website remains down, with customers reporting continued inability to access portals or receive email responses from departments.
Source: BankInfoSecurity